Do you allow your staff members to use smart devices in the office (i.e., smart phones, smart watches, smart speakers)? Do you have a policy in place to safeguard patient information from access by those smart devices?
In an era where technology continues to advance at an exponential rate, the healthcare industry (along with most industries) is constantly “playing catch up.” Chances are that most, if not all, of your staff members use a smart phone while at work. In addition, some staff members may use smart watches, and others (likely fewer) may use, or have inquired about using, smart speakers to listen to music in the office. Given the voice-assistant capabilities of those devices, there are safeguards that must be put in place to prevent potential HIPAA violations and/or breaches. Below are the three (3) most common smart devices and the patient privacy issues that should be addressed in an internal office policy if you are going to permit staff members to use those smart devices in the office:
Smart phones: Given the ubiquitous nature of smart phones in our society, prohibiting the use of the devices in the office is not realistic. That said, usage policies should be implemented which limit, or negate, the ability of such devices to access patient information. While prohibiting the use of phones during work hours is one step, it is likely not enough to sufficiently protect patient information. For staff that use the voice-assistant capabilities of their devices (i.e. Siri, Cortana, Google), their devices are always “listening” to communications occurring when the capability is activated. However, there are methods by which this capability can be deactivated, at least when the phone is “locked”. By requiring such deactivation, combined with the prohibition of phone use during work hours, you can more effectively prevent staff members from inadvertently giving their devices’ access to patient data.
Smart watches: Smart watches are less prevalent than smart phones, but their usage rate continues to grow. Smart watches generally have the same capabilities as their complementary smart phone (i.e., phone calls, texting, voice-assistant). Additionally, these devices also have the ability to deactivate the voice-assistant capability. Accordingly, if smart watches are permitted in the office, your internal office policy should contain the same limitation on the use of the smart watch’s voice-assistant during work hours.
Smart speakers: Smart speakers are most often used in the privacy of individuals’ homes. However, some staff members may desire to use the speaker in the office to play music, set reminders and perform other tasks. Although the speakers have the capability of working without using the voice-assistant technology, it is rare for individuals to use the speaker without such technology. Accordingly, we generally recommend that smart speakers be prohibited from use in the physician office. Unlike smart phones and (potentially) smart watches, smart speakers are not necessary for staff members’ daily living. Further, given the intended use of the speakers (i.e. to play music, research miscellaneous facts, set reminders), it does not make practical sense to use the devices without the voice-assistant capability. As a result, any policy that prohibits use of the voice-assistant during work hours would be futile and negate the convenience of the device itself.
As advancements in technology continue and new smart devices are developed, you will need to revisit whether the use of those devices post a threat to your patients’ privacy rights and your office’s HIPAA compliance. Your internal policies should be reviewed periodically to ensure that they address any new risks that are created by use of such devices.
If your office is interested in developing and implementing a device policy, please contact our firm.